Penetration Testing mailing list archives

Re: How to: Check SSL version Numbers remotely

From: thomas springer <tuevsec () gmx net>
Date: Mon, 19 Jun 2006 11:23:06 +0200

Depends, what you mean with Version:

1) Version of SSL-Software/Libs (e.g. OpenSSL 0.9.7e or GnuTLS 1.4.0)
Most of thes are linked with Server-Software, e.g. Apache. You might
grab banners, especially Apache often reports the mod_ssl or
openssl-Versions and check the capabilites of the SSL-Lib (Supported
Protocols and Ciphers). These might give you a hint about software and
version, but neither of these will give you a really trustworthy
version-info of the used ssl-libs. I don't know any relyable method to
check this remote.

2) Version of default (and other supported) SSL-Protocols (e.g. SSL 2.0,
SSL 3.0, TLS 1.0, TLS 1.1)
Use GnuTLS, OpenSSL, a Foundstones SSL-Digger (beware: good, but
ancient!) or the SSL-Check at www.serversniff.net.

3) Version of default (and other supported) Ciphers (e.g. 3DES, AES 128,
RC4 ...)
Use GnuTLS, OpenSSL, a Foundstone SSL-Digger or the SSL-Check at
www.serversniff.net.

thomas

mikeiscool wrote:

On 17 Jun 2006 19:27:42 -0000, 09Sparky () gmail com <09Sparky () gmail com>
wrote:

What is the best way or tool used to check SSL Versions?  I need to
confirm whether or not a remote SSL Server is outdated?



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------

Current thread:

How to: Check SSL version Numbers remotely 09Sparky (Jun 18)
- Re: How to: Check SSL version Numbers remotely mikeiscool (Jun 18)
  - Re: How to: Check SSL version Numbers remotely thomas springer (Jun 19)
    - Re: How to: Check SSL version Numbers remotely frank boldewin (Jun 19)
    - Re: How to: Check SSL version Numbers remotely offset (Jun 19)
    - Re: How to: Check SSL version Numbers remotely John Lampe (Jun 19)
    - Re: How to: Check SSL version Numbers remotely thomas springer (Jun 22)
  - Abers remotely Robert E. Lee (Jun 19)
- Re: How to: Check SSL version Numbers remotely reden () sekure ch (Jun 19)
- RE: How to: Check SSL version Numbers remotely Philippe Bogaerts (Jun 19)
- Re: How to: Check SSL version Numbers remotely Michael Boman (Jun 19)